MCITP 70-640: Active Directory Accounts

Captions
Welcome back to your free Active Directory course. In this video I will look at user and computer accounts in Windows. Accounts in Windows provide the backbone for security in a Windows environment. Any account in Windows, whether it is a user or a computer account, will have a SID (security identifier) associated with it. The SID is a unique number used in security to uniquely identify the account. Shown here are some examples of SIDs. The short SIDs are local user accounts and the longer SIDs are domain SIDs. A SID is required because it allows Windows to uniquely identify a user regardless of whether the other attributes of the user change. Take the example of a user account: if the user were to change their last name, Windows could still identify the user account as belonging to the same person because the SID has not changed. SIDs are also used for computer accounts and groups. SIDs provide the unique value that is used to identify these groups and computers inside Active Directory and on the local computer. Once again, if you were to change the name of the group or the computer name, the SID associated with the group or computer stays the same. When troubleshooting Windows and Active Directory, you will see SIDs appear from time to time, so it is a good idea to understand why they are required.

If I open RegEdit from the start menu and navigate down through the registry, there is a good example of SIDs used in user profiles. A profile in Windows contains all of the user's settings, everything from their printer settings to the files on the desktop. By default the profile is in the Users directory on the C drive. The profiles listed here contain the basic details of each profile. Each profile is listed under a folder (registry key) whose name is the SID for that user. The first three profiles listed are local profiles. You can tell this because their SIDs are very short. If I look inside one of the profiles listed, notice the key ProfileImagePath.
This key contains the directory where the profile is stored. The profile below this, with the longer SID, is the domain administrator. The same principle applies. This folder contains details about the administrator's profile, including the folder where the data for the profile is stored. If the username were to change, for example if the user were to change their name, Windows will still know to find the user's profile settings in the old folder. You can now see why, when a user changes their name, the folder name of their profile does not change. This is one reason that when a user changes their name I will sometimes create a new user with the different name and transfer over their settings and documents. This method ensures settings like the profile folder are set to the new name. If you do decide to take this approach, make sure there is nothing tied to the old user, like certificates. If there is, I would stick to renaming the account. If you want to change the profile folder as well, you can change it in the registry here and also rename it in the Users folder; as long as they both match, Windows will keep using it. If they do not match, Windows will create a new profile when the user logs in.

You should now understand why, if a user account is deleted and you create a new user with the same name, the new user will not have the same access as the old user. When you create a new user, the new user will have a completely different SID from the old user and thus will not have access to any of the data that the old user had access to. This is why it is common practice in some companies that when a person leaves, their account is disabled. When their replacement is hired, the account is enabled and renamed to the new person. This ensures the new employee will have all the same access the old employee had.
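To make the structure of the SIDs shown above concrete, here is an added example (not code from the course) that parses SIDs, converts them to and from the binary form Windows stores them in, and classifies the entries of a constructed ProfileList. The SID format used is the documented Windows one: S-<revision>-<identifier authority>-<sub-authorities>; account SIDs issued by a domain or machine are S-1-5-21-<three 32-bit domain identifier values>-<RID>, which is why they are longer than the well-known ones. The machine SID and the ProfileList entries are constructed sample values, not read from a live registry.

```python
"""SID structure and a constructed ProfileList walk-through (added example)."""
import struct
from dataclasses import dataclass

# Well-known SIDs that appear under ProfileList on most machines.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

# Constructed: the local machine's SID (domain identifier only, no RID).
MACHINE_SID = "S-1-5-21-1004336348-1177238915-682003330"


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse the textual S-R-A-S1-S2... form into its components."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.sub_authorities)])

    @property
    def is_account_sid(self):
        """True for S-1-5-21-<domain id>-<RID>: user, group and computer SIDs."""
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def domain_identifier(self):
        """The three sub-authorities naming the issuing domain or machine."""
        return self.sub_authorities[1:4] if self.is_account_sid else None

    @property
    def rid(self):
        """Relative identifier, unique within the issuing domain or machine."""
        return self.sub_authorities[-1] if self.is_account_sid else None

    def to_bytes(self):
        """Binary SID: revision, sub-authority count, 6-byte big-endian
        identifier authority, then each sub-authority as little-endian uint32."""
        header = struct.pack("<BB", self.revision, len(self.sub_authorities))
        authority = self.authority.to_bytes(6, "big")
        subs = b"".join(struct.pack("<I", s) for s in self.sub_authorities)
        return header + authority + subs

    @classmethod
    def from_bytes(cls, data):
        revision, count = struct.unpack_from("<BB", data, 0)
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from("<" + "I" * count, data, 8)
        return cls(revision, authority, tuple(subs))


def classify(sid_text, machine_sid_text=MACHINE_SID):
    """Say what kind of principal a SID names, without contacting a directory."""
    if sid_text in WELL_KNOWN:
        return f"well-known local account ({WELL_KNOWN[sid_text]})"
    sid = Sid.parse(sid_text)
    if not sid.is_account_sid:
        return "other well-known or built-in SID"
    machine_domain = Sid.parse(machine_sid_text).sub_authorities[1:4]
    if sid.domain_identifier == machine_domain:
        return f"local account, RID {sid.rid}"
    return f"domain account, RID {sid.rid}"


# Constructed ProfileList sample: SID -> ProfileImagePath, as seen in RegEdit.
PROFILE_LIST = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-19": r"C:\Windows\ServiceProfiles\LocalService",
    "S-1-5-20": r"C:\Windows\ServiceProfiles\NetworkService",
    "S-1-5-21-1004336348-1177238915-682003330-1000": r"C:\Users\localuser",
    "S-1-5-21-3623811015-3361044348-30300820-500": r"C:\Users\Administrator.EXAMPLE",
}


def describe_profiles(profiles=PROFILE_LIST):
    """Pair each ProfileList entry with its classification and profile folder."""
    return [(sid, classify(sid), path) for sid, path in profiles.items()]


if __name__ == "__main__":
    for sid, kind, path in describe_profiles():
        print(f"{sid:<48} {kind:<42} {path}")
```

Running the script lists each constructed profile with its kind; the two S-1-5-21 entries differ only in their domain identifier, which is what separates the local user from the domain administrator.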
To demonstrate a bit more clearly how a SID is connected to a user, I will open Windows Explorer and look at the security for a folder I created on the C drive of this computer. I have disconnected this computer from the network so it does not have access to a domain controller. Since the computer can't access a domain controller, notice that two of the permissions are listed as the SID rather than the username. If I now reconnect the computer to the network and press Edit, notice that Windows will contact a domain controller, get the usernames for the two SIDs and display the usernames rather than the SIDs. This is why you can easily change usernames in Active Directory without having to worry about the effect it will have on permissions.

To understand a bit more about how accounts and SIDs work in Windows, let's have a look at the process that happens when a user is authenticated by a domain controller in a domain. When a user is authenticated by a domain controller, an access token is generated for that user. The access token can then be used to access other resources on the network. Inside the access token is the user's SID. When this access token is presented to another system, say a Windows server, the SID inside the token can be used by the server to identify who the token belongs to. The server will then look at its access lists to see if that SID has access. However, as we will see in later videos, good administrators use groups to provide users access and make administration easier. If this user was a member of the Sales group, for example, once again as we have learnt, the Sales group has its own SID. It is a simple matter of adding the Sales group SID to the user's token when it is created. Now when the token is presented to another system, the other system checks its access list. In this case, the Sales group is in the token and on the server's local access list, so the user will be given access.
You may be asking yourself, what would happen if the user was removed from the Sales group after the token had been generated? The answer is that the user would still have access, because the security token contains the SID for the Sales group. The same applies if the user was added to, say, the Marketing group after the token was created. The user would not have access to any of the Marketing files because the security token does not contain the SID for the Marketing group. To fix problems like these, the user simply needs to log off and log back on. When they log back on, a new token will be generated with the new security information.

Before I start looking at how to use user accounts in Active Directory, I first want to look at the naming standards that you will see when using accounts in Windows. The old naming standard that dates back to Windows NT is domain\UserName. This was based on the older NetBIOS naming standard, which did not support as many characters as DNS does. The newer standard supports the same naming format that you would use for an e-mail address, for example user@example.com. Windows refers to this naming format as a user principal name. In some cases the domain name may be different from the one used to log in. For example, a lot of companies use an internal DNS name ending in .local rather than .com. Active Directory supports any principal name mapped to any user. Regardless of which system you use, you will need to work out a system of naming that minimizes the number of naming conflicts. An example is first initial dot last name. Some companies will even go for longer names like first name dot last name, or a simpler standard like last name followed by first initial. The longer the login name, the less likely you are to have two users with the same login. For example, if Jane and John Doe both worked for the same company, two of the naming standards here would generate the same login name. In this case an administrator would need to change one of the logins.
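The token behaviour described in the two paragraphs above, as an added example that is not code from the course: a token is built at logon from the user's SID and group SIDs, a server compares the SIDs in the token against its ACL, and group changes made after logon are invisible until the user logs off and on again. The user, group SIDs, share names and in-memory account database are all constructed stand-ins for a domain controller's directory.

```python
"""Access token built at logon, checked against a server ACL (added example)."""
from dataclasses import dataclass

# Constructed SIDs for one domain (domain identifier 111-222-333).
SALES_SID = "S-1-5-21-111-222-333-1201"
MARKETING_SID = "S-1-5-21-111-222-333-1202"


class AccountDatabase:
    """Stand-in for the directory a domain controller consults at logon."""

    def __init__(self):
        self.user_sids = {"jane.doe": "S-1-5-21-111-222-333-1105"}
        self.group_sids = {"Sales": SALES_SID, "Marketing": MARKETING_SID}
        self.membership = {"jane.doe": {"Sales"}}

    def rename_user(self, old, new):
        # Only the name changes; the SID stays with the account.
        self.user_sids[new] = self.user_sids.pop(old)
        self.membership[new] = self.membership.pop(old)

    def add_to_group(self, user, group):
        self.membership[user].add(group)

    def remove_from_group(self, user, group):
        self.membership[user].discard(group)


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset


def logon(db, user):
    """Authenticate and build the token: the user's SID plus every group SID."""
    return AccessToken(
        user_sid=db.user_sids[user],
        group_sids=frozenset(db.group_sids[g] for g in db.membership[user]),
    )


# Server-side ACLs: each share lists the SIDs allowed to read it. Names never
# appear here, which is why renaming a user has no effect on permissions.
ACLS = {
    r"\\fileserver\sales": {SALES_SID},
    r"\\fileserver\marketing": {MARKETING_SID},
}


def has_access(token, share):
    """The server's check: is the user SID or any group SID in the token on the ACL?"""
    allowed = ACLS[share]
    return token.user_sid in allowed or not token.group_sids.isdisjoint(allowed)


def access_pair(token):
    """(can read sales share, can read marketing share) for one token."""
    return (has_access(token, r"\\fileserver\sales"),
            has_access(token, r"\\fileserver\marketing"))


def demo():
    db = AccountDatabase()
    token = logon(db, "jane.doe")
    at_logon = access_pair(token)                 # (True, False): Sales only

    # Group changes made after logon do not touch the existing token.
    db.remove_from_group("jane.doe", "Sales")
    db.add_to_group("jane.doe", "Marketing")
    stale = access_pair(token)                    # still (True, False)

    # Log off and on: the new token reflects the current membership.
    fresh = access_pair(logon(db, "jane.doe"))    # (False, True)

    # Rename the account: same SID, so the same access after a fresh logon.
    db.rename_user("jane.doe", "jane.smith")
    same_sid = logon(db, "jane.smith").user_sid == token.user_sid   # True
    return at_logon, stale, fresh, same_sid


if __name__ == "__main__":
    print(demo())
```

The stale-token window is worth remembering when removing someone from a group as a security measure: until that person's sessions end and new tokens are issued, the old group SID is still in their tokens.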
A lot of administrators will simply add a number to the end of one of the logins to make them different. When creating a new user, a pre-Windows 2000 logon name will automatically be chosen for you. This name will be used by older clients. Besides Windows systems like Windows 9x and NT, this may also include some older non-Microsoft operating systems. Unless you have old operating systems, in most cases you won't need to worry about the pre-Windows 2000 logon name. The reason I bring it up is that it is limited to 20 characters. If you need to use the pre-Windows 2000 logon names, consider the 20-character limit when thinking about how your naming standard will work. This covers the basics of accounts in Windows and Active Directory. In the next video I will look at how to create a new user account in Active Directory. Thanks for watching.
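The naming-standard discussion above, as an added example that is not code from the course: it applies the three standards mentioned (first initial dot last name, first name dot last name, last name plus first initial) to a staff list, reports which standards collide for Jane and John Doe, resolves collisions by appending a number, and keeps the pre-Windows 2000 logon name within the 20-character limit while leaving the user principal name untruncated. The people, the domain example.com and the numbering scheme are constructed.

```python
"""Logon names under a naming standard, with conflict handling (added example)."""
import re

PRE_WINDOWS_2000_MAX = 20  # limit on the pre-Windows 2000 logon name

# Each standard maps (first, last) to a candidate logon name.
STANDARDS = {
    "first_initial.last": lambda first, last: f"{first[0]}.{last}",
    "first.last": lambda first, last: f"{first}.{last}",
    "last_first_initial": lambda first, last: f"{last}{first[0]}",
}


def normalise(name):
    """Lower-case and drop anything outside a-z, 0-9 and '.'."""
    return re.sub(r"[^a-z0-9.]", "", name.lower())


def standards_with_conflicts(people):
    """Which standards would give two of these people the same logon name?"""
    conflicting = []
    for name, rule in STANDARDS.items():
        logons = [normalise(rule(first, last)) for first, last in people]
        if len(set(logons)) != len(logons):
            conflicting.append(name)
    return conflicting


def assign_logons(people, standard, domain):
    """Assign a unique UPN and pre-Windows 2000 logon name to each person.

    Conflicts get a number appended; the short name is truncated so that the
    number still fits within the 20-character limit.
    """
    rule = STANDARDS[standard]
    taken_upn, taken_sam = set(), set()
    assigned = []
    for first, last in people:
        base = normalise(rule(first, last))
        n = 1
        while True:
            suffix = "" if n == 1 else str(n)
            upn_prefix = base + suffix
            sam = base[:PRE_WINDOWS_2000_MAX - len(suffix)] + suffix
            if upn_prefix not in taken_upn and sam not in taken_sam:
                break
            n += 1
        taken_upn.add(upn_prefix)
        taken_sam.add(sam)
        assigned.append({"name": f"{first} {last}",
                         "upn": f"{upn_prefix}@{domain}",
                         "pre2000": sam})
    return assigned


# Constructed staff list: the Doe pair collides under two standards, and the
# third name is long enough to hit the 20-character limit.
STAFF = [("Jane", "Doe"), ("John", "Doe"), ("Bartholomew", "Featherstonehaugh")]

if __name__ == "__main__":
    print("standards that clash for this staff list:", standards_with_conflicts(STAFF))
    for entry in assign_logons(STAFF, "first.last", "example.com"):
        print(entry)
```

With the first-name-dot-last-name standard the Doe pair no longer clashes, but the long surname shows the other problem: the UPN keeps the whole name while the pre-Windows 2000 name is cut to 20 characters.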
Info
Channel: itfreetraining
Views: 81,847
Keywords: Windows Accounts, User Accounts, Sid, Security Token, 70-640, MCITP, MCTS, ITFreeTraining, Active Directory (Software), Software (Industry)
Id: xmGmMUCLCVY
Length: 10min 2sec (602 seconds)
Published: Tue Apr 17 2012